๐Ÿ” CVE Alert

CVE-2026-33151

UNKNOWN 0.0

socket.io allows an unbounded number of binary attachments

CVSS Score 0.0
EPSS Score 0.1%
EPSS Percentile 25th

Socket.IO is an open source, real-time, bidirectional, event-based communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.

CWE CWE-20 CWE-754
Vendor socketio
Product socket.io
Published Mar 20, 2026
Last Updated Mar 23, 2026

Affected Versions

socketio / socket.io
< 3.3.5
>= 3.4.0, < 3.4.4
>= 4.0.0, < 4.2.6

References

github.com: https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
github.com: https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
github.com: https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
github.com: https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78